RE: Potential issues in XML Schema files pointed out from XML Sig v1.1?

My point was that at least in the case of problem #1, no change to the specification is needed or desirable. I presume (based on the existence of the schemaLocation attribute) that the W3C has a policy of hosting official specifications so they can be retrieved from the location specified by the schemaLocation attribute. Since this is an official specification of the working group which has been properly approved, the schemaLocation it specified is the one that the W3C must support. Therefore, this is an administrative configuration issue, not an error in the specification.

WRT problem #2, I have no recollection of how and why it came to be omitted, but I prefer to think we left out schemaLocation for exactly the reasons Scott cites. If, however, the W3C has a written requirement that all official specifications must provide a schemaLocation element, then we should amend this errata. Otherwise I would argue that it is merely a matter of incorrect expectations.

Hal


> -----Original Message-----
> From: Frederick Hirsch [mailto:w3c@fjhirsch.com]
> Sent: Monday, June 08, 2015 3:47 PM
> To: Juan Carlos Cruellas
> Cc: Hal Lockhart; public-xmlsec@w3.org
> Subject: Re: Potential issues in XML Schema files pointed out from XML
> Sig v1.1?
> 
> Juan Carlos
> 
> I think these issues warrant an errata item, so we can consider that.
> Do you have specific proposed fixes for your second item?
> 
> However as Scott and Hal point out, it should not be an implementation
> blocker given that retrievals from the w3c site are not best.
> 
> regards, Frederick
> 
> Frederick Hirsch
> Chair XML Security WG
> 
> fjhirsch.com
> @fjhirsch
> 
> 
> > On Jun 8, 2015, at 1:06 PM, Juan Carlos Cruellas <cruellas@ac.upc.edu> wrote:
> >
> > Thanks for this Scott and Hal,
> >
> > I see your point...however, I tend to think that there is no point in
> > having a driver file that points to nowhere, and IMHO this should be
> > changed to point to the right place: as it is now it is basically
> > making a wrong statement.
> >
> > Also, even if I agree in that security issues would advise that
> > implementers get copies of the XML Schema files and get them from their
> > local store, to put in xmlsig11 the right pointer to the xmlsig, would
> > publicly declare within this XML Schema file where to get that other
> > xml schema...then implementers could store them wherever they
> > want....or do you think that doing that this could bring some security
> > issue for implementers that once downloaded the right xml schema files
> > just make use of these locally stored files?
> >
> > Juan Carlos
> > El 08/06/15 a las 17:52, Hal Lockhart escribió:
> >> If you really need this capability, the easiest solution would be to
> >> ask Admin at W3C to establish the required alias URI.
> >>
> >> As Scott has pointed out, the need to retrieve the schema should be
> >> rare and not a routine operational process.
> >>
> >> Hal
> >>
> >>> -----Original Message-----
> >>> From: Juan Carlos Cruellas [mailto:cruellas@ac.upc.edu]
> >>> Sent: Monday, June 08, 2015 7:40 AM
> >>> To: public-xmlsec@w3.org
> >>> Subject: Potential issues in XML Schema files pointed out from XML
> >>> Sig v1.1?
> >>>
> >>> Dear all,
> >>>
> >>> When looking at the XML Schema files pointed by XML Sig v1.1 I have
> >>> found the following:
> >>>
> >>> 1. At the so-called "driver" file, at
> >>> http://www.w3.org/TR/xmldsig-core1/xmldsig1-schema.xsd, I have
> >>> noticed the following include:
> >>>
> >>> <include
> >>> schemaLocation="http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/xmldsig-core.xsd"/>
> >>>
> >>> Please note that trying to retrieve a file from the URI within
> >>> schemaLocation attribute results in a file not found error
> >>> (404)....instead making a retrieve operation on
> >>> "http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/xmldsig-core-schema.xsd"
> >>> results in the correct file.
> >>>
> >>>
> >>>
> >>>
> >>> 2. At the xml schema file in
> >>> http://www.w3.org/TR/xmldsig-core1/xmldsig11-schema.xsd,
> >>> corresponding to the xml schema for types and elements within
> >>> xmldsig11 namespace, the two first lines are:
> >>>
> >>> <schema targetNamespace="http://www.w3.org/2009/xmldsig11#"
> >>> version="0.1" elementFormDefault="qualified">
> >>> <import namespace="http://www.w3.org/2000/09/xmldsig#"/>
> >>>
> >>> but the import element does not have the schemaLocation attribute
> >>> that allows applications to automatically retrieve the xml schema
> >>> defining types and elements for xmldsig namespace...shouldn't it be
> >>> such a schemaLocation with a value
> >>> http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/xmldsig-core-schema.xsd?
> >>>
> >>>
> >>> Could you please confirm if you also see them as issues that could
> >>> need to be fixed? and if so, could you please make an estimation on
> >>> how and when they could be fixed?
> >>>
> >>>
> >>> Best regards
> >>>
> >>> Juan Carlos.
> >>>
> >>>
> >
> >
> 
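
The practice discussed in this thread, keeping local copies of the schema files instead of retrieving them from w3.org, can be enforced by resolving every include/import through a local catalog and failing closed when no entry exists. This is an added example, not part of any message in the thread or of W3C material; the catalog contents, the local file path and the two sample schema fragments (modelled on the lines quoted above) are assumptions.

```python
import xml.etree.ElementTree as ET

XSD = "{http://www.w3.org/2001/XMLSchema}"
CORE_NS = "http://www.w3.org/2000/09/xmldsig#"
DEAD_HINT = "http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/xmldsig-core.xsd"
LOCAL_CORE = "schemas/xmldsig-core-schema.xsd"  # assumed path of a vetted local copy

# Assumed local catalog: schemaLocation hints and namespaces mapped to local files.
BY_LOCATION = {DEAD_HINT: LOCAL_CORE}
BY_NAMESPACE = {CORE_NS: LOCAL_CORE}

# Constructed fragments modelled on the two schema lines quoted in the thread.
DRIVER = ('<schema xmlns="http://www.w3.org/2001/XMLSchema">'
          f'<include schemaLocation="{DEAD_HINT}"/></schema>')
XMLDSIG11 = ('<schema xmlns="http://www.w3.org/2001/XMLSchema" '
             'targetNamespace="http://www.w3.org/2009/xmldsig11#">'
             f'<import namespace="{CORE_NS}"/></schema>')


def resolve_references(xsd_text, by_location=BY_LOCATION, by_namespace=BY_NAMESPACE):
    """Map each top-level include/import to a local file; never touch the network."""
    resolved, unresolved = [], []
    for el in ET.fromstring(xsd_text):
        if el.tag not in (XSD + "include", XSD + "import"):
            continue
        kind = el.tag[len(XSD):]
        hint, namespace = el.get("schemaLocation"), el.get("namespace")
        # A schemaLocation is only a hint: look it up, do not dereference it.
        local = by_location.get(hint) if hint else None
        # An import without a usable hint is resolved by its namespace.
        if local is None and kind == "import" and namespace:
            local = by_namespace.get(namespace)
        if local is None:
            unresolved.append((kind, hint or namespace))
        else:
            resolved.append((kind, hint or namespace, local))
    return resolved, unresolved


def check(xsd_text):
    """Fail closed: raise if any reference has no local catalog entry."""
    resolved, unresolved = resolve_references(xsd_text)
    if unresolved:
        raise LookupError(f"no local copy for: {unresolved}")
    return resolved


if __name__ == "__main__":
    print(check(DRIVER))
    print(check(XMLDSIG11))
```
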

Received on Tuesday, 9 June 2015 15:29:43 UTC